Hackers Using Stolen D-Link Certificates for Malware Signing

A cyber-espionage group is abusing code-signing certificates stolen from Taiwan-based companies for the distribution of their backdoor, ESET reports.

The group, referred to as BlackTech, appears highly skilled and focused on the East Asia region, particularly Taiwan. The certificates, stolen from D-Link and security company Changing Information Technology Inc., have been used to sign the Plead backdoor, ESET's security researchers say.

The Plead campaign is believed to have been active since at least 2012, often focused on confidential documents and mainly targeting Taiwanese government agencies and private organizations.

Evidence of the fact that the D-Link certificate was stolen comes from the fact that it was used to sign non-malicious D-Link software, not only the Plead malware, ESET explains.

After being informed on the misuse of its certificate, D-Link revoked it, along with a second certificate, on July 3. In an advisory, the company said that most of its customers should not be affected by the revocation.

“D-Link was victimized by a highly active cyber espionage group which has been using PLEAD Malware to steal confidential information from companies and organizations based in East Asia, particularly in Taiwan, Japan, and Hong Kong,” the company said.

Changing Information Technology Inc., also based in Taiwan, revoked the misused certificate on July 4, but the threat actor continued to use it for malicious purposes even after that date, ESET reveals.

The signed malware samples also contain junk code for obfuscation purposes, but all perform the same action: they either fetch from a remote server or open from the local disk encrypted shellcode designed to download the final Plead backdoor module.

The malware can steal passwords from major web browsers, such as Chrome, Firefox, and Internet Explorer, and from Microsoft Outlook.

According to Trend Micro, the Plead backdoor can also list drives, processes, open windows and files on the compromised machine, can open remote shell, upload files, execute applications via ShellExecute API, and delete files.

“Misusing digital certificates is one of the many ways cybercriminals try to mask their malicious intentions – as the stolen certificates let malware appear like legitimate applications, the malware has a greater chance of sneaking past security measures without raising suspicion,” ESET notes.

The use of code-signing certificates for malware delivery isn’t a novel practice, and the Stuxnet worm, which was discovered in 2010, is a great example of how long threat actors have been engaging in such practices. The first to target critical infrastructure, Stuxnet used digital certificates stolen from RealTek and JMicron, well-known Taiwanese tech companies.